How do security certificates work


Basically, any CA does exactly what it wishes to do. However, OS and browser vendors won't accept just any CA as a "trusted root". E.g. Microsoft runs a root certificate program which defines the contractual conditions that a CA must fulfil in order to get its root CA public key included in the "trusted store" of all Windows systems. These conditions include a lot of legal details, financial agreements (notably insurance), and also that the CA respects clearly documented procedures for everything it does. In practice, the CA will have to do some research to verify domain ownership and weed out obvious phishing attempts before granting a certificate.

The CA/Browser forum is an organization which tries to establish baseline requirements for such jobs. See also WebTrust, which aims at being a faithful incarnation of the principles set out by the CA/Browser forum.

Extended Validation certificates are certificates which have been issued by CAs that follow strict requirements (including anti-phishing procedures), along the lines defined by these organizations. Browsers that comply with the CA/Browser forum guidelines are supposed to display EV certificates with a specific visual indication, and not to use that indication for non-EV certificates; in effect, EV certificates are a method to define a whitelist of "good CAs" within the jungle of existing CAs.

(It has been noticed that though Microsoft and Firefox and Chrome have strict rules about inclusion of commercial CAs, they can hardly politically afford to reject a "government CA" from any big enough government, although these CAs are not necessarily well maintained and documented. "EV" is an answer to that sad state of things: browsers will include such dubious CAs but won't tag them as "EV".)
